Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Query for times

xvxt006
Contributor
‎07-23-2013 02:47 PM

Hi,

i would like to count how many uris that have response times greater than the 90th percentile times for response times greater than x secs..Say 30 secs and list them out.

I tried this. But it is not resulting any results
sourcetype="access_combined_wcookie" host=xxxx Time>30 | eventstats perc90(Time) as hightimes by uri_path | where Time>highimes | table uri_path, count, hightimes

Tags (1)
Reply

sideview
SplunkTrust
SplunkTrust
‎07-23-2013 07:02 PM

I'm pretty sure that the relevant field name in access_combined_wcookie is called req_time, rather than Time. At least, in the default access extractions that ship with Splunk there is no extracted field called Time.

If you run these searches are you getting extracted values for Time? Or only for req_time?

sourcetype="access_combined_wcookie" host=xxxx | table Time req_time

Otherwise you're close. You have one little typo (highimes != hightimes), and if you want a "count" field, you need another stats on the end to roll it up.

Here you go, assuming again that req_time is the field name and not Time.

sourcetype="access_combined_wcookie" host=xxxx req_time>30 | eventstats perc90(req_time) as hightime by uri_path | where req_time>hightime | stats count last(hightime) as hightime by uri_path

0 Karma
Reply

sideview
SplunkTrust
SplunkTrust
‎07-23-2013 09:42 PM

Because of the | where req_time>hightime , the rows coming into that stats clause will only be the rows where the req_time is higher than the 90th percentile value. then the stats clause will give, for each uri_path, count (number of rows higher than 90th percentile) and last(hightime) as hightime (which is just the 90th percentile value).

0 Karma
Reply

xvxt006
Contributor
‎07-23-2013 09:13 PM

what does it mean by - stats count last(hightime) as hightime. Say if the 90th percentile time is 15.6 secs but there are another 5 instances where the time is greater than 15.6 secs. Does this give count as 5? and also would it show the hightime (90th percentile) as 15.6?

0 Karma
Reply

xvxt006
Contributor
‎07-23-2013 08:54 PM

BTw, i tried the modified query but not getting any data

0 Karma
Reply

xvxt006
Contributor
‎07-23-2013 08:52 PM

Hi Thanks for your reply. Just to be on the same page, i am looking for count of each uri for which response time is greater than the 90th percentile time. You are right, the field name is not time.

Like below.

URI COUNT 90thPercentile
xxxx 10 15.6 secs
yyyy 5 10.23
zzzz 14 9.78

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...